Allowed operator in Azure Data Explorer RLS function

AdamRnarsson-2213 0 Reputation points
2024-09-26T10:33:04.77+00:00

I'm attempting to implement RLS in ADX on already ingested data. The RLS policy function I'm creating looks like this.


.create-or-alter function with (docstring = 'Restricts access to data.', folder = 'RLS') RestrictAccess(TableName: string) {
    table(TableName)
    | join kind=leftsemi (
            AccessTable
            | extend
                current_member=case(
                    current_principal_is_member_of('aadgroup=00000000-BBBB-CCCC-DDDD-EEEEEEEEEEEE'), 'foo',
                    current_principal_is_member_of('aadgroup=11111111-BBBB-CCCC-DDDD-EEEEEEEEEEEE'), 'bar',
                    current_principal_is_member_of('aadgroup=22222222-BBBB-CCCC-DDDD-EEEEEEEEEEEE'), 'baz',
                    'unknown'
                )
            | where current_member == groupName
            | distinct deviceId
        ) on deviceId
}

My access table looks like this:


.set-or-append async AccessTable with(folder = 'RLS') <|
datatable(deviceId: string, groupName: string)[
    'A0000000-1111-2222-3333-444444444444', 'foo',
    'B0000000-1111-2222-3333-444444444444', 'foo',
    'B0000000-1111-2222-3333-444444444444', 'bar',
    'D0000000-1111-2222-3333-444444444444', 'baz'
];

Then I run the policy like this


.alter table MyTable policy row_level_security enable "RestrictAccess('MyTable')"

However, I get the error


Error

Error during execution of a policy operation: Error in row_level_security query for database("MyDatabase").table("MyTable"): the following operators were blocked: 'summarize' (only the following operators are allowed: 'as', 'distinct', 'extend', 'join', 'limit', 'project', 'project-away', 'project-keep', 'project-rename', 'project-reorder', 'union', 'where')

As you can see, I'm only using allowed operators! What could be the issue?

Azure Data Explorer

1 answer

  1. Sina Salam 14,616 Reputation points
    2024-09-26T16:50:28.7366667+00:00

    Hello AdamRnarsson-2213,

    Welcome to the Microsoft Q&A and thank you for posting your questions here.

    I understand that you are having an issue with the Azure Data Explorer RLS function.

    Regarding your explanation, I would advise checking the usage of the distinct operator within your RLS policy function first. Try removing it and see if the error persists.

    This is an example of your code snippet without distinct:

    .create-or-alter function with (docstring = 'Restricts access to data.', folder = 'RLS') RestrictAccess(TableName: string) {
        table(TableName)
        | join kind=leftsemi (
            AccessTable
            | extend 
                current_member=case(
                    current_principal_is_member_of('aadgroup=00000000-BBBB-CCCC-DDDD-EEEEEEEEEEEE'), 'foo',
                    current_principal_is_member_of('aadgroup=11111111-BBBB-CCCC-DDDD-EEEEEEEEEEEE'), 'bar',
                    current_principal_is_member_of('aadgroup=22222222-BBBB-CCCC-DDDD-EEEEEEEEEEEE'), 'baz',
                    'unknown'
                )
            | where current_member == groupName
            | project deviceId
        ) on deviceId
    }
    

    Then, make sure there is no implicit use of the summarize operator within your function or any referenced functions, and that the AccessTable is correctly formatted and does not contain any unexpected data that might cause issues during the join operation. For more about row-level security, see https://zcusa.951200.xyz/en-us/kusto/management/row-level-security-policy?view=microsoft-fabric and, for ingestion errors, https://zcusa.951200.xyz/en-us/azure/data-explorer/error-codes

    I hope this is helpful! Do not hesitate to let me know if you have any other questions.


    Please don't forget to close up the thread here by upvoting and accepting it as an answer if it is helpful.
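The answer's suggestion to look for summarize in the function and in any referenced functions can be scripted as a text-level pre-check before enabling a policy. The Python below is an added example, not code from this thread or from Microsoft: it compares the operators written in a policy body, and in the stored functions it calls, against the allowlist from the error message. The helper name `AllowedDevices` and the `functions` dictionary are assumptions, and a text scan only sees operators that are spelled out, so it reports nothing for the function as posted.

```python
import re

# Allowlist copied from the error message quoted in the question.
ALLOWED = {"as", "distinct", "extend", "join", "limit", "project",
           "project-away", "project-keep", "project-rename",
           "project-reorder", "union", "where"}

# Comments and string literals are blanked first so a '|' inside them is ignored.
_SKIP = re.compile(r"//[^\n]*|'(?:\\.|[^'\\\n])*'|\"(?:\\.|[^\"\\\n])*\"")
_PIPE_OP = re.compile(r"\|\s*([a-z][a-z-]*)")   # word that follows a pipe
_CALL = re.compile(r"\b([A-Za-z_]\w*)\s*\(")    # name directly before '('


def blocked_operators(body, functions, _seen=None):
    """Operators outside ALLOWED that are written in body or, recursively,
    in any stored function it calls (functions maps name -> body text)."""
    seen = set() if _seen is None else _seen
    text = _SKIP.sub(" ", body)
    blocked = set(_PIPE_OP.findall(text)) - ALLOWED
    for name in _CALL.findall(text):
        if name in functions and name not in seen:
            seen.add(name)
            blocked |= blocked_operators(functions[name], functions, seen)
    return blocked


# Body of RestrictAccess from the question, with case() shortened to one group.
RESTRICT_ACCESS = """
table(TableName)
| join kind=leftsemi (
    AccessTable
    | extend current_member=case(
        current_principal_is_member_of('aadgroup=00000000-BBBB-CCCC-DDDD-EEEEEEEEEEEE'), 'foo',
        'unknown')
    | where current_member == groupName
    | distinct deviceId
) on deviceId
"""

# Constructed counter-example: the policy body calls a hypothetical helper
# function, AllowedDevices, whose own body contains summarize.
FUNCTIONS = {"AllowedDevices": "AccessTable | summarize by deviceId"}
VIA_HELPER = "table(TableName) | join kind=leftsemi (AllowedDevices()) on deviceId"

if __name__ == "__main__":
    print(blocked_operators(RESTRICT_ACCESS, FUNCTIONS))  # nothing written is blocked
    print(blocked_operators(VIA_HELPER, FUNCTIONS))       # summarize, via the helper
```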

